Office of Internal Audit Status Report
BOARD OF TRUSTEES
February 5, 2010

Office of Internal Audit

Date: January 13, 2010
To: Board of Trustees and Finance and Audit Committee
From: Allen Vann, Audit Director
Subject: OFFICE OF INTERNAL AUDIT STATUS REPORT

COMPLETED AUDITS AND INVESTIGATIONS

Since our last Finance and Audit Committee meeting on November 19, 2009, we completed the following projects:

1. University Asset Management Accounting Observations – Based on recent audits and investigations and additional observations, we highlighted in this review a number of issues relating to University personal property accounting that require the attention of the Controller’s Office. We reported the need to further strengthen surplus media procedures so as to ensure that sensitive data are properly removed to avoid a data breach. Also, before donating surplus property to nonprofit organizations, better communication to the University community might identify internal needs, and when donating property, staff needs to ensure that organizations legitimately qualify as nonprofits. There also needs to be greater accountability over attractive property items that fall under the $1,000 property recording threshold. Our inventory records also have to more accurately reflect personal property locations. Management has implemented or is in the process of implementing the ten recommendations resulting from this review.

2. Investigation of Improper Procurement Card Use and Questionable Payroll Transactions in the College of Education – This report summarized the results of three investigations relating to Procurement card use in the College of Education. Based on a complaint, we initiated an investigation to determine whether the University was defrauded as a result of the questionable procurement activity. Based on our investigation, we concluded that an Administrative Assistant misused the procurement card provided to her by the University by purchasing personal and unallowable items.
The Administrative Assistant also made procurement card transactions at the direction of the former Interim Dean to reward certain employees. The current Interim Dean of the College of Education Business in consultation with the Provost, Human Resources, and Office of the General Counsel took appropriate disciplinary action resulting in the separation from employment of the Administrative Assistant and the Office Assistant responsible for approving her credit card transactions. The Office of Internal Audits also referred this matter to FIU Police. An active criminal case is pending in the State Attorney’s Office.

3. Investigation of Improper Procurement Card Use at the College of Education – Former Interim Dean – This report represents the second of three investigations of procurement card use at the College of Education. This investigation focuses on the former Interim Dean of the College, who subsequently returned to his responsibilities as a Professor at the College. Based on our investigation, we concluded that the former Interim Dean misused the procurement card provided to him by the University by purchasing personal and unallowable items. In addition, the former Interim Dean instructed the Information Technology Director and the former Administrative Assistant to purchase numerous personal and unallowable items for him and others using their procurement cards. We also noted other instances of inappropriate and wasteful spending made at the former Interim Dean’s direction. These expenditures included payment of indiscriminate bonuses, payroll/timekeeping manipulation for an OPS employee, and wasteful travel costs.
The current Interim Dean of the College of Education in consultation with the Provost, Human Resources, and Office of the General Counsel is in the process of taking appropriate disciplinary action resulting in the separation from employment of the Professor and monetary restitution.

4. Investigation into Allegations Against a Professor at the College of Medicine – This investigation was based on a complaint forwarded to us through the Division of Human Resources alleging that a Professor at the College of Medicine had misused grant funds. Other allegations were investigated by the Division of Human Resources, the Office of Sponsored Research Administration (OSRA) and the College of Medicine (College). Based on our investigation, we concluded that the Professor had several business relationships outside the University that he should have reported. In addition, there were purchases of computers which should not have been made using the University procurement card. Finally, our review disclosed a weakness in the manner in which the College accounted for FedEx transactions to ensure that shipments were business related. Otherwise the allegations were not sustained, i.e., there was insufficient evidence to prove or disprove the allegation(s). We made six recommendations that the College of Medicine agreed to implement.

WORK IN PROGRESS

Audits/Investigations – Status
Investigation of ProCard use at the College of Education – Fieldwork in progress
Investigation of ProCard use at the College of Medicine – Fieldwork in progress
Audit of the University Purchasing Card Program – Fieldwork on hold
Audit of the University’s IT Governance – Fieldwork in progress
Audit of Financial Controls Over College of Medicine Expenditures – Fieldwork on hold
Audit of the University’s Information System Continuity Plan – Fieldwork in progress
Audit of the Federal Stimulus Funds – Fieldwork in progress
Review of PeopleSoft Upgrade Implementation – Fieldwork in progress

CONSULTING ACTIVITIES

In conjunction with our Interim Controller, I have designed and am providing training to University staff on Understanding Fraud in University Credit Card Programs. This course provides fraud awareness training to staff and an overview of related policies and required procedures.

RESULTS OF QUALITY ASSESSMENT OF THE OFFICE OF INTERNAL AUDITS

At our last Finance and Audit Committee meeting, I provided a detailed report of a Quality Self-Assessment I performed of the Office of Internal Audit. Attached is an independent validation of our assessment. I am pleased to inform you that the independent validator concluded that FIU’s internal audit department conforms to the International Standards for the Professional Practice of Internal Auditing.

FOLLOW-UP STATUS REPORTS

Due to time constraints and the short lead time between meetings, we will update the Finance and Audit Committee on the implementation status of audit recommendations at our next scheduled meeting.

Attachment

INDEPENDENT VALIDATION QUALITY ASSESSMENT OF FLORIDA INTERNATIONAL UNIVERSITY OFFICE OF INTERNAL AUDIT

Drummond Kahn, MS, CIA, CGFM, CGAP

TABLE OF CONTENTS

Transmittal Letter
Table of Contents
Independent Validator Statement
Objective, Scope, and Methodology
Observed Strengths
Potential Challenges
Opportunities for Improvement and Recommended Action Items

OBJECTIVE, SCOPE AND METHODOLOGY

In November 2009, I was engaged to conduct an independent validation of Florida International University’s self-assessment (Quality Assessment) of its internal audit function. The primary objective of the validation was to verify the assertions made in the attached quality self-assessment report concerning adequate fulfillment of the organization’s basic expectations of the internal audit activity and its conformity to The Institute of Internal Auditors’ (The IIA’s) International Standards for the Professional Practice of Internal Auditing (Standards). Other matters that might have been covered in a full independent assessment, such as an in-depth analysis of successful practices, governance, consulting services, and use of advanced technology, were excluded from the scope of this independent validation by agreement with the Audit Director.

The internal audit self-assessment, and my independent validation, used the Quality Assessment Manual for the Internal Audit Activity (6th Edition) by the Institute of Internal Auditors’ Research Foundation (2009).

The University’s internal audit function prepared an extensive self-assessment report, and provided this report and its supporting documentation to me in November. I reviewed this information and conducted a site visit in December.
During the site visit, I met with each internal auditor on the staff, and conducted interviews of each auditor, the Chief of Staff to the President, the Chief Financial Officer, the Chief Information Officer, and the Finance and Audit Committee Chair, using IIA guidance for interview topics and questions, as well as follow-up questions as I deemed appropriate.

I had full access to internal audit documentation during my visit in December. I reviewed workpapers from two audit engagements I selected, as well as many recently-issued audit reports. I observed operating procedures in the office, discussed my questions from the self-assessment with audit staff and the Audit Director, and reviewed resumes and the professional and academic background of each auditor on the staff. In addition, I reviewed the format for and two recent examples of the office’s “Audit Review Checklist”, which appeared complete and appropriate and consistent with professional practices to document assignment reviews. I also reviewed survey responses from two surveys administered before and during the site visit – a survey of auditees and university management, and a second survey of audit staff members.

During my site visit, I had the full cooperation of all staff members and of the individuals outside the audit function I interviewed. All offered frank and direct feedback on the audit activity, and fully participated in the validation process.

I reviewed office processes and manuals/guidance, including the 2006 operations manual (now under revision). I reviewed the audit function’s authority, process, charter; the Board structure for management and the audit committee; the office’s status reporting process to the audit committee and executive management; the follow-up process and process for describing follow-up to management and the audit committee; and position descriptions for audit staff.

After my site visit, I reviewed the self-assessment documentation again, as well as the notes from my interviews and the IIA Quality Assessment Manual, prior to preparing this final summary document. My notes and this document will be stored with the self-assessment working papers at Florida International University.

I conducted my work from November 2009 to January 2010 based on my knowledge and experience in auditing (since 1990) and my experience leading and participating in external quality reviews of several audit offices, as well as with the guidance from the IIA Quality Assessment Manual described above. I prepared the final documentation for this report in December 2009 and January 2010.

OBSERVED STRENGTHS

Florida International University’s audit function is strong, and complies with almost all of the professional standards, per its self-assessment and this independent validation. FIU’s Office of Internal Audit is effective in providing internal audit services to the Trustees, senior management, and other interested parties. Especially notable are:

Auditors’ high level of skills, experience, and professionalism – The team of auditors at FIU is highly trained and experienced. Those members new to FIU still have considerable auditing experience outside of the organization, and all share a positive attitude toward the office, to continuing professional development, and to the audit function at the University. Teamwork is apparent in the written records supporting audits (meetings, interview participation, and workpaper review), and was apparent during the site visit. Informal and formal meetings and discussions are common in the office, and the quality and scope of supervision appeared appropriate – both from the Audit Director and from several experienced team members, two of whom served leadership roles in the organization during a recent transition.

Strong and direct reporting to the audit committee – The Audit and Finance Committee is a subset of the Trustees, and meets regularly. Agendas and meeting minutes are shared among all trustees, and meetings are public. Based on my review of public documents and in meetings including an interview with the Chair of the Finance and Audit Committee, I was impressed with the high level of oversight by the Trustees generally and the Committee specifically. Additional features to increase transparency included sharing quarterly updates on the audit function, private time with the audit function in Finance and Audit Committee meetings, and the fact that all contents of Trustee meeting packets are shared with each Trustee – not only those Trustees on the Finance and Audit Committee. Since FIU is a public institution, the presence of public observers and media members in meetings of the Committee serves to further increase public transparency and oversight of FIU and audit office operations. The Audit Director also has direct communication with the Finance and Audit Committee Chair, both through scheduled updates, Committee meetings, and the potential for ad-hoc or emergency communication.

Strong communication with executive management – The Office of the President is clearly involved with and interested in the reports and operations of the audit function. This regular communication and support – including financial support and organization-wide commitment to implement audit recommendations – was apparent through reviewing recent audit reports, management responses, interviews, and the organization’s support for internal auditing through a recent series of controversial investigations which resulted in public and media attention.

Appropriate reporting authority – The internal audit function used to report administratively through the General Counsel’s office. This placed reporting at least two layers below the top layer of executive management (the Office of the President).
Now, internal audit reports through the President’s Chief of Staff, rather than through the legal department. With the direct line of communication with the Office of the President, and the strong audit committee involvement discussed above, this reporting relationship appears appropriate and is placed at a higher organizational level than past practices.

Clear and convincing reporting – The audit reports and working papers I reviewed were well-structured, clear, concise, and supported the recommendations made in the reports. In addition, the audit reports have withstood scrutiny from public, media, and management attention. Reports and office information are posted on the organization’s web site, further enhancing transparency and accountability.

Well-supported reports with extensive working papers – The working papers I reviewed were clear and complete, and contained evidence of appropriate review. Reports and details were well-supported with audit evidence, including specific evidence for several recent investigative reports I reviewed.

Commitment to specific areas of auditing, including fraud auditing, information technology auditing – The audit activity is committed to completing the audit work planned for in its annual risk assessment, as well as to a highly-responsive process to answer current calls for investigative work. In addition, the office has bolstered its capacity to conduct information technology auditing through its hiring of a highly-experienced IT professional to conduct IT audits. Audit office management, as well as University management, are committed to selecting high-risk topics and to completing and releasing value-added audit reports on these topics. The high level of communication with the Finance and Audit Committee (discussed above) serves as both a catalyst for good topic selection and appropriate reporting, as well as a safeguard for good audit reports following standards to be well-supported in the organizations.
In some organizations, focus on critical and important areas can bring criticism of the audit function. Here, though, with management and Finance and Audit Committee involvement, the audit function appears well-supported to conduct important and sensitive work.

Commitment to professional development and participation in professional associations and training – The internal audit office is clearly committed to professional development for its staff and to participation in professional associations. Further enhancement of the budget process that allows the office to identify and fund training and memberships throughout the year is appropriate, as is the office’s focus on external training, where appropriate, to bolster staff skills.

Commitment to quality improvement, including this self-assessment and independent validation – Quality efforts like self-assessments with independent validation and up to a full external quality control review are important under the IIA’s Standards, as well as to organizational improvement generally, and sustaining the high view the organization places on the audit function.

Commitment to risk assessment by the audit function and risk reduction by the organization – Management and the Finance and Audit Committee seem both aware of and highly interested in risk assessment and risk reduction in the organization – and are convinced of the important role internal audit plays in identifying and auditing to the risks that face the organization. The university “sees the value of and understands this role of internal audit,” according to an executive manager.

POTENTIAL CHALLENGES

Florida International University’s internal audit function is a well-managed and well-staffed professional audit office, with excellent access to senior management and to the audit committee.
The following areas for consideration are possible challenges to the internal audit function, and also result in specific suggestions for improvement:

The IIA Attribute Standard for Purpose, Authority, and Responsibility requires that the nature and definition of internal auditing services must be included in the Charter for internal auditing – specifically, the proposed language in the self-assessment could be amended to the Charter (see p. 2 of the October 2009 Self-Assessment). This language could formally document the purpose, authority and responsibility for FIU’s audit function in the charter.

IIA Standards require quality assurance – this current effort is appropriate (to conduct a self-assessment with independent validation) – and can be more fully linked to the Standards with a full external quality assurance review every five years.

In conclusion, the only areas where the self-assessment found non-compliance with Standards are in two key areas (linked to the points above) – First, a need for clearer definitions enshrined in the Charter; Second, a more frequent and robust quality assurance review. Implementation of the Charter change, and an organizational commitment to provide more frequent quality assurance reviews, will also help the internal audit function with a third area – allowing it to continue to use the statement that the office “conforms with the International Standards for the Professional Practice of Internal Auditing” in each of its written reports.

OPPORTUNITIES FOR IMPROVEMENT AND RECOMMENDED ACTION ITEMS

From Above (Potential Challenges, p. 9) – two main opportunities for improvement from the self-assessment:

Effect change in Charter language as described above and in the self-assessment.
Commit to more regular quality assurance activities.
As Charter is clarified, use reporting language to indicate conformance with Standards.

Additional opportunities:

Clarity/Responsibility for Budget and Resources – FIU management clearly supports the internal audit function, and has provided specific financial support for office equipment, quality assurance activities, and training. Recent support, pending an adequate budget, has been “ad-hoc” and on a case-by-case basis, rather than stemming from an initial budget directed by the audit activity. In future fiscal years, an initial budget amount, directed by the audit activity, could bolster the independent decisions of the audit function rather than requesting funds on a case-by-case basis from other FIU offices.

Revise Operations Manual – The existing 2006 Operations Manual for the internal audit function appears appropriate, but due to recent leadership transitions and a new reporting authority, the Manual should be revised to reflect current operations. This revision is underway.

Specific Software Needs – The capacity to perform database queries independently is an important one, since auditors would not need to request data from management, but can directly query databases. The office may have additional needs now and in the future, and the first opportunity on “Clarity/Responsibility for Budget and Resources” could help the audit office quickly and nimbly respond to its needs within an approved budget as situations warrant in the future.